imvrgwsk.exe

Quesadilla Interactive

The file imvrgwsk.exe by Quesadilla Interactive has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from intva31.parkplaceschema.info.
Publisher:
Quesadilla Interactive  (signed and verified)

MD5:
e09e64395ba377358767ef07ba958156

SHA-1:
354d70576024acfb9efd1a94714b5c093954091e

SHA-256:
1759c754f1e93400a455e5834682de522de57057ac3d8d823299672ac47946d8

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 2:41:09 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Vitallia.Downtown
16.4.28.16

File size:
126.6 KB (129,664 bytes)

Common path:
C:\users\{user}\appdata\local\temp\imvrgwsk.exe.part

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/8/2016 2:17:38 PM

Valid to:
3/8/2017 2:17:38 PM

Subject:
CN=Quesadilla Interactive, O=Quesadilla Interactive, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
017689D7557551E3

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.24

CTPH (ssdeep):
1536:NVqazqN2qAhFmwDaaoXazFb3R91Lj2k8Gh4sk/z+uRsS3rv:/vqiFmwyXahbh9N18GMb+uRsqD

Entry address:
0x14C0

Entry point:
83, EC, 0C, C7, 05, E4, 31, 41, 00, 01, 00, 00, 00, E8, 9E, A6, 00, 00, 83, C4, 0C, E9, A6, FC, FF, FF, 8D, B6, 00, 00, 00, 00, 83, EC, 0C, C7, 05, E4, 31, 41, 00, 00, 00, 00, 00, E8, 7E, A6, 00, 00, 83, C4, 0C, E9, 86, FC, FF, FF, 90, 90, 90, 90, 90, 90, 55, 89, E5, 56, 53, 83, EC, 10, 8B, 1D, 84, 51, 41, 00, C7, 04, 24, 00, E0, 40, 00, FF, D3, 89, C6, 83, EC, 04, B8, 00, 00, 00, 00, 85, F6, 74, 29, C7, 04, 24, 00, E0, 40, 00, FF, 15, A0, 51, 41, 00, 83, EC, 04, A3, 90, 35, 41, 00, C7, 44, 24, 04, 13, E0...
 
[+]

Entropy:
5.7955

Code size:
46 KB (47,104 bytes)

The file imvrgwsk.exe has been seen being distributed by the following URL.

Remove imvrgwsk.exe - Powered by Reason Core Security